From: Markus Koschany
Date: Sun, 30 Oct 2022 20:13:30 +0100
Subject: CVE-2022-0554
Origin: https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8
---
 src/buffer.c | 26 ++++++++++++++++++++++----
 src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/src/buffer.c b/src/buffer.c
index 4cac106..912ace9 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1471,8 +1471,14 @@ do_buffer(
 buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
 if (buf != NULL)
 {
- if (buf == curbuf || !buf->b_p_bl)
- buf = NULL; /* skip current and unlisted bufs */
+ // Skip current and unlisted bufs. Also skip a quickfix
+ // buffer, it might be deleted soon.
+ if (buf == curbuf || !buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ || bt_quickfix(buf)
+#endif
+ )
+ buf = NULL;
 else if (buf->b_ml.ml_mfp == NULL)
 {
 /* skip unloaded buf, but may keep it for later */
@@ -1509,7 +1515,11 @@ do_buffer(
 continue;
 }
 /* in non-help buffer, try to skip help buffers, and vv */
- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
+ if (buf->b_help == curbuf->b_help && buf->b_p_bl
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
 {
 if (buf->b_ml.ml_mfp != NULL) /* found loaded buffer */
 break;
@@ -1527,7 +1537,11 @@ do_buffer(
 if (buf == NULL) /* No loaded buffer, find listed one */
 {
 FOR_ALL_BUFFERS(buf)
- if (buf->b_p_bl && buf != curbuf)
+ if (buf->b_p_bl && buf != curbuf
+#if defined(FEAT_QUICKFIX)
+ && !bt_quickfix(buf)
+#endif
+ )
 break;
 }
 if (buf == NULL) /* Still no buffer, just take one */
@@ -1536,6 +1550,10 @@ do_buffer(
 buf = curbuf->b_next;
 else
 buf = curbuf->b_prev;
+#if defined(FEAT_QUICKFIX)
+ if (bt_quickfix(buf))
+ buf = NULL;
+#endif
 }
 }
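Review bot: The reason for excluding quickfix buffers is documented only at this first condition; the same `#if defined(FEAT_QUICKFIX)` splice recurs in the next two hunks (the help/non-help scan and the listed-buffer scan) with no comment, so a later edit could drop one of them without noticing that it belongs to the CVE-2022-0554 fix. I would add `/* also skip a quickfix buffer, it might be deleted soon */` above each of those two conditions. The new comment here uses `//` while every context line in these hunks uses `/* */`; if this backport base is still built as C89, writing it as a block comment keeps it consistent and portable. The enclosing do_buffer() starts and ends outside the hunk.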
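Review bot: In the last hunk `bt_quickfix(buf)` is called on the result of the `b_next`/`b_prev` fallback without a NULL check, and the branch now sets `buf` to NULL in a case where it previously kept a buffer pointer. bt_quickfix() is not visible in this patch; if the version in this backport base dereferences its argument unconditionally, guard the call as `if (buf != NULL && bt_quickfix(buf))`. The statements after the two closing braces are outside the hunk, so it is worth confirming that do_buffer() in this base checks for `buf == NULL` at that point before it uses the pointer.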